Online Health Data in Employers’ and Insurers’ Predictive Analytics
Did you know that buying generics instead of brands could hurt your credit? Or that a subscription to Hang Gliding Monthly could scare off life insurers? Or that certain employers’ access to electronic health records could lead them to classify you as “high-risk” or “high-cost”?
In all these cases, firms use “predictive analytics” to maximize profits. Consumers are the guinea pigs for these new “sciences” of the human. As Scott Peppet argues, it becomes more difficult to opt out of analytics systems as more people use them. What type of world are they leading us to?
Credit Analytics: Should Frugality be Punished?
One credit analytics company determined that buyers of cheap automotive oil were “much more likely to miss a credit-card payment” than those who paid for a brand-name oil. Spending on therapy sessions may also be a red flag. Appearing too frugal, too anxious, too spendthrift—all might lead to higher interest rates or lower credit limits. One R&D head at a credit analytics firm bragged that they consider over 300 characteristics to discover delinquency risk. He was not nearly as forthcoming about how the data is aggregated. Analyzing millions of transactions, the companies observe customers as a gardener might observe a rose garden: weeding out unpromising specimens, and giving a boost to incipient flourishers.
Many have complained about inaccuracy in these new forms of profiling, and consumers’ inability to review and correct digital dossiers collected about them. But let’s just assume that this profiling is correct, and choosing a generic really does correlate with increased credit risk. What’s the social value of this discovery? Maybe credit card companies can reduce rates infinitesimally (and increase profits) by burdening the generic buyers. But I’d be willing to bet that, for every few people whose generic purchases indicate financial trouble, there is another shopper who’s wisely frugal and increasing her chances of successfully repaying all her loans. It seems very odd to penalize the financially responsible merely because they happen to engage in an activity shared by the distressed.
The Dream of the Perfect Profile
Ahh, predictive analysts might reply, you just oversimplify our process. We would never reduce the credit line of someone who purchases generics if that person also, say, has a subscription to Travel and Leisure, or drives a Nexus, or gives over $1,000 a year to the Republican National Committee. They’re not desperate—they’re just careful shoppers. The more information we have, the more fair and accurate we can be. (I can only propose this response, since the industry is so careful about protecting its trade secrets. But this seems like a plausible counterargument.)
Just as free speech advocates often say that the answer to “bad speech” is more or “counter” speech, predictive analysts may argue that the cure for the mistreatment of any given individual is more information about the person’s true motives or opportunities. If privacy advocates are worried that certain surveillance practices will unfairly tarnish the reputation or profile of an individual, the answer is more, not less, information on that person. The more comprehensive a picture that firms can develop of the individual, the better they are able to properly target resources.
Whatever the merits of this approach, it appears to me that it only applies to one dimension of the credit analytics example above. Rewarding “brand buyers,” in general, is not that likely to alter behavior in ways that could seriously undermine someone’s quality of life. But effectively punishing those who seek therapy or marriage counseling creates a different set of concerns, showing once again the ways in which health care decisionmaking needs to be distinct from the Procrustean forces of market pressures.
Stressed by Sickness in the Risk Society
A recent article by Sharona Hoffman illuminates some problems with pervasive use of health data in predictive analytics.
Employers may obtain and process EHRs [electronic health records] for a variety of reasons. Many require applicants who have received employment offers to provide authorizations for release of medical records in order to verify the individuals’ fitness for duty. At times, employers require records for purposes of workers’ compensation claims, reasonable accommodation requests by individuals with disabilities, or Family Medical Leave Act (FMLA) requests. Employers who are self-insured also process employees’ medical data in order to pay insurance claims.
EHRs will likely provide employers with unprecedented amounts of data. . . . Employers or their hired experts may develop complex scoring algorithms based on EHRs to determine which individuals are likely to be high-risk and high-cost workers. . . . Employers with access to EHRs containing a wealth of medical information may be sorely tempted to exclude certain individuals from the workforce because of concerns about the employees’ future productivity, absenteeism, or medical costs. To disguise unlawful conduct, employers may not act immediately to withdraw a job offer or terminate an employee, but rather, decide not to promote an individual with a disability or to select her for a layoff at a later time.
In other words, predictive analytics in health can lead to more “death spirals” for the sick: lost employment, lost insurance due to that lost employment, and future inability to find work due to poor health. Hoffman’s concerns about employers sidestepping relevant regulations were reflected in today’s WSJ article on insurance profiling, too:
[G]iant data-collection firms . . . sort details of online and offline purchases to help categorize people as runners or hikers, dieters or couch potatoes. They scoop up public records such as hunting permits, boat registrations and property transfers. They run surveys designed to coax people to describe their lifestyles and health conditions. Increasingly, some gather online information, including from social-networking sites.
For insurers and data-sellers alike, the new techniques could open up a regulatory can of worms. The information sold by marketing-database firms is lightly regulated. But using it in the life-insurance application process would “raise questions” about whether the data would be subject to the federal Fair Credit Reporting Act, says Rebecca Kuehn of the Federal Trade Commission’s division of privacy and identity protection. The law’s provisions kick in when “adverse action” is taken against a person, such as a decision to deny insurance or increase rates. The law requires that people be notified of any adverse action and be allowed to dispute the accuracy or completeness of data, according to the FTC. Deloitte and the life insurers stress the databases wouldn’t be used to make final decisions about applicants. Rather, the process would simply speed up applications from people who look like good risks.
Many aspects of FCRA have been rendered irrelevant by the all-importance of credit scoring—it’s hard to care too much about one’s ability to “correct” one’s credit report if the only thing that really matters is a score whose calculation only contingently depends on any given piece of information in the report. But I had not heard before Deloitte’s assurance that information would “simply speed up” applications, and not “be used to make final decisions.” Quite the creative lawyering behind that distinction.
Relating the Real and the Digital Body
Dan Solove has written extensively on the “digital person,” and perhaps we can see predictive health analytics as an effort to create a “digital body.” As the WSJ reports, we are reaching a point where online “data can reveal nearly as much about a person as a lab analysis of their bodily fluids.” The least we can ask is for the purveyors of data-driven decisionmaking to be much clearer about how they profile individuals. Moreover, in the case of employment, we should seriously consider expanding disability discrimination laws to prevent employers from stratifying employees based on health data. Profits are important, but they shouldn’t come at the expense of sick people who already have enough problems to contend with. As HHS implements PPACA’s promotion of “wellness programs” at workplaces, they should also try to avoid the “Orwellness” of data-driven health profiling.
X-Posted: Concurring Opinions.
Medicare, Hospitals, Serious Harm and Death
Filed under: Health Reform, Medical Malpractice, Medicare
The Inspector General of the Department of Health and Human Services, Daniel R. Levinson, published an Op-ed in USA Today that is well worth considering. The column, entitled “Medical mistakes plague Medicare patients,” speaks volumes. Levinson writes:
Today’s hospitals are modern-day marvels of healing, and we expect them to be models of patient safety as well. But a just-released report from my office shows that medical care is falling short for too many hospitalized Medicare patients. A decade after an Institute of Medicine study placed preventable medical errors among the leading causes of death in the United States, our latest study found that a disturbing number of hospitalized patients still endure harmful consequences from medical care, 44% of them preventable. These instances, which the report calls “adverse events,” include infections, surgical complications and medication errors.
Such occurrences are not always preventable, particularly since many Medicare patients are elderly and have complicated health problems. But enough patient harm is avoidable to make a strong case for action. Hospitals must improve, but they need the help of lawmakers, medical professionals and patients to do so.
We’ve written about this issue before here on HRW (in the context of various calls for medical malpractice reform as part of health care reform and studies that show hospital staff neither washing their hands regularly nor utilizing the simple but effective surgical checklist). The Institute of Medicine study Inspector General Levinson referred to estimated 98,000 deaths per year. Last year I wrote:
Bloomberg reports that “The U.S. Institute of Medicine found a decade ago that medical errors kill 98,000 Americans a year” according to Les Weisbrod, president of the Washington-based trial lawyers’ group, the American Association of Justice.
According to Medical News Today, the medical error fatality figures above were supported by “Dr. Chunliu Zhan and Dr. Marlene R. Miller in a research study published in the Journal of the American Medical Association (JAMA) in October of 2003. The Zhan and Miller study supported the Institute of Medicine’s (IOM) 1999 report conclusion, which found that medical errors caused up to 98,000 deaths annually and should be considered a national epidemic.”
A study by HealthGrades found more than twice that number in “potentially preventable deaths.”
And now this study. Look at the numbers; they aren’t pretty–and they cast some present doubt on the 98,000 number if one considers the rubric, “contributed to their deaths.” Levinson writes:
Errors prolonged hospital stays
This study began in response to a congressional mandate to determine the number of harmful medical events Medicare patients experienced, and the cost to taxpayers. My office arranged for physician reviewers to examine a random sample of 780 Medicare patients discharged from hospitals around the country during the month of October 2008.
Physicians determined that about one in seven patients (13.5%) experienced at least one serious instance of harm from medical care that prolonged their hospital stay, caused permanent harm, required life-sustaining intervention, or contributed to their deaths. Projected to the entire Medicare population, this rate means an estimated 134,000 hospitalized Medicare beneficiaries experienced harm from medical care in one month, with the event contributing to death for 1.5%, or approximately 15,000 patients.
That’s per month. Some quick math will give us the yearly death figure: 15,000 x 12 months = 180,000 per year. And that’s just Medicare patients.
The “seriously harmed” figure comes to 134,000 x 12 months = 1,608,000 per year. Again, just Medicare.
Levinson continues:
Strikingly, medication errors factored in more than half the patient fatalities in our sample, including use of the wrong drug, giving the wrong dosage, or inadequately treating known side effects. Such events were commonly caused by hospital staff diagnosing patients incorrectly or failing to closely monitor their conditions.
Less serious harm also occurred. An additional one in seven hospitalized Medicare patients experienced temporary problems, such as allergic reactions or injuries from falls. And many experienced multiple events, including an elderly heart patient who had six separate events during a single hospital stay. Obviously, this situation is unacceptable — and expensive, costing taxpayers more than $4 billion a year due to the need for additional treatment or longer hospitalizations (and even more if you add costs for follow-up care).
I’ve said it before and I’ll say it again. “Seemingly, one would define “defensive medicine” as that which a doctor [or hospital] does, which he or she would not do, if solely exercising his or her [or its] discretion without the fear of being sued. Therefore, might I suggest that “defensive medicine” is only excessive if the doctor’s [or hospital's] best estimation of the situation is correct.”
You can read the rest of Inspector General Levinson’s Op-ed here. He offers some direction: much-needed direction.
Privacy Paradigms: From Consent to Reciprocal Transparency
Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.
William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,
Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.
Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyright holders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.
If individuals had enough time to manage their personal data the way they manage their checkbooks and gardens, perhaps the consent paradigm would be a good foundation for addressing public concerns about privacy. If applicants could easily bargain with would-be employers over privacy, or patients with hospitals, perhaps we could rely on them to protect their interests. But actual occurrences of such acts of self-assertion and self-protection are rare. Given the frequently abstract benefits that privacy and reputational integrity afford, they are often traded away for competitive economic advantage. This process further erodes societal expectations of privacy.
A collective commitment to privacy is far more valuable than a private, transactional approach that all but guarantees a race to the bottom. If such a collective commitment does not materialize, record systems will only deserve trust if they become as transparent as the patients and research subjects they profile. Given corporate assertion of trade secrecy (and even privacy rights), reciprocal transparency will not be easy to achieve. Nevertheless, repeated breaches, fraud, and data meltdowns in the US should provoke an alliance of socially responsible researchers to lobby the US government to set minimal standards of reciprocal transparency and auditing. Consumers can only trust innovators if they can understand what is being done with data. As we become “transparent citizens” (as Joel Reidenberg puts it), we should demand that the corporate, university, and governmental authors of that trend reciprocate, and become more open about the data they gather.
Fortunately, as a recent presentation by Deborah Peel reminded me, there is significant audit authority built into the recent HITECH act which may curb some abuses. Audits will become increasingly important as a “wild west” of health data is excavated by scrapers, marketers, and other data miners.
Consider, for instance, the following scenario: contributors to the medical website PatientsLikeMe.com found that “Nielsen Co., [a] media-research firm . . . was ‘scraping,’ or copying, every single message off PatientsLikeMe’s private online forums.” Had the virtual break-in not been detected, health attributes connected to usernames (which, in turn, can often be linked to real identities) could have spread into numerous databases. A reciprocal transparency paradigm would require all those harboring health data to have some certified indication of its legitimate provenance. Data would not be allowed to persist without certification of its provenance.
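To make the provenance requirement in the paragraph above concrete, here is an added illustration (not code from the original post or from any real records system) of a data store that refuses to persist a health record unless it carries a provenance certificate that verifies. The certificate format, the record fields, the `HealthDataStore` class, the sample forum record and the certifier key are all assumptions constructed for the example; the certificate is authenticated with a keyed HMAC from the standard library, standing in for the digital signature a real certifying authority would use. It shows the three cases the paragraph is about: a certified record is stored, a scraped copy with no certificate is rejected, and a record whose provenance label or content was altered after certification is rejected, with every decision written to an audit trail.

```python
"""Added example: persisting health records only with verifiable provenance.
Everything here (fields, key, store) is a constructed assumption for illustration."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed key for the hypothetical certifying authority. A real deployment
# would use the authority's digital signature instead of a shared HMAC key.
CERTIFIER_KEY = b"constructed-certifier-key-do-not-reuse"


def _canonical(obj: dict) -> bytes:
    """Canonical JSON so certifier and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _content_digest(subject: str, attributes: Dict[str, str]) -> str:
    """SHA-256 over the record content that a certificate vouches for."""
    return hashlib.sha256(_canonical({"subject": subject, "attributes": attributes})).hexdigest()


@dataclass
class ProvenanceCertificate:
    source: str           # who collected the data (assumed label)
    consent_ref: str      # reference to the consent covering the disclosure (assumed)
    collected_at: str     # ISO-8601 time of collection
    content_digest: str   # digest of the record content the certificate covers
    mac: str = ""         # certifier's HMAC over the fields above

    def signed_fields(self) -> dict:
        fields = asdict(self)
        fields.pop("mac")
        return fields


@dataclass
class HealthRecord:
    subject: str
    attributes: Dict[str, str]
    certificate: Optional[ProvenanceCertificate] = None


def certify(record: HealthRecord, source: str, consent_ref: str,
            collected_at: str, key: bytes = CERTIFIER_KEY) -> HealthRecord:
    """Attach a certificate binding provenance fields to the record content."""
    cert = ProvenanceCertificate(source, consent_ref, collected_at,
                                 _content_digest(record.subject, record.attributes))
    cert.mac = hmac.new(key, _canonical(cert.signed_fields()), hashlib.sha256).hexdigest()
    return HealthRecord(record.subject, dict(record.attributes), cert)


def verify(record: HealthRecord, key: bytes = CERTIFIER_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects missing, content-mismatched or forged certificates."""
    cert = record.certificate
    if cert is None:
        return False, "no provenance certificate"
    if cert.content_digest != _content_digest(record.subject, record.attributes):
        return False, "content does not match certified digest"
    expected = hmac.new(key, _canonical(cert.signed_fields()), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.mac):
        return False, "certificate MAC invalid (provenance altered or forged)"
    return True, "ok"


class HealthDataStore:
    """Store that persists nothing without a verified provenance certificate."""

    def __init__(self, key: bytes = CERTIFIER_KEY):
        self.key = key
        self.records: List[HealthRecord] = []
        self.audit: List[str] = []   # every accept/reject decision, for auditors

    def persist(self, record: HealthRecord) -> bool:
        ok, reason = verify(record, self.key)
        verdict = "ACCEPT" if ok else "REJECT"
        self.audit.append(f"{verdict} subject={record.subject} reason={reason}")
        if ok:
            self.records.append(record)
        return ok


def demo() -> Dict[str, object]:
    """Run the certified / scraped / relabelled / altered cases through one store."""
    store = HealthDataStore()
    # Constructed sample: a self-reported forum post about a health condition.
    raw = HealthRecord("user-4711", {"condition": "ALS", "origin": "constructed-forum"})
    certified = certify(raw, "constructed-forum/self-report", "consent-2010-001",
                        "2010-05-17T10:00:00Z")
    # A copy taken without consent carries no certificate (the scraping scenario).
    scraped = HealthRecord(raw.subject, dict(raw.attributes))
    # Same content, but the provenance label was rewritten after certification.
    relabelled = HealthRecord(certified.subject, dict(certified.attributes),
                              replace(certified.certificate, source="marketing-database/unknown"))
    # Valid certificate reused over content that was changed afterwards.
    altered = HealthRecord(certified.subject, {**certified.attributes, "condition": "none"},
                           certified.certificate)
    return {
        "certified": store.persist(certified),
        "scraped": store.persist(scraped),
        "relabelled": store.persist(relabelled),
        "altered": store.persist(altered),
        "stored": len(store.records),
        "audit_entries": len(store.audit),
    }


if __name__ == "__main__":
    for line in HealthDataStore().audit or [str(demo())]:
        print(line)
```

The binding of the content digest into the signed fields is what stops a legitimate certificate from being carried over onto different data, and the audit list is the hook an auditor under HITECH-style authority would review: rejected records are evidence that data of unknown provenance is circulating.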
Unforeseen spread of inaccurate or inappropriate health data is not just a problem for those who want to avoid getting solicitations for burial plots after a sensitive appointment. Given law enforcement exceptions to medical privacy laws and regulations, it should come as little surprise that the government claims that “a 2005 law authorizes it to monitor and record all prescription drug use by all citizens via so-called ‘Prescription Drug Monitoring Programs.’” Such programs may just be the tip of an iceberg of new domestic intelligence programs that rely on private companies to act as “big brother’s little helpers.”
Whenever health data is fed into an evaluative profile of an individual, there should be safeguards in place to assure that the data is accurate, and that the resulting profile is, if at all possible, not used to harm or disadvantage the individual. Without assurances like these, we can count on continued resistance to the development of health data infrastructures.
Reform Rodeo
1. The American Medical Association: In the face of new health reform requirements that are now in effect, many of the top insurers have dropped child-only health plans.
2. Kaiser Health News Daily Report: Health Care reform’s elimination of discrimination based on pre-existing conditions has not fully materialized; In a sign of what could be a backlash against health care reform, the 3M corporation announced that it will stop offering its health insurance plan to retirees. Click here for the Daily Report.
3. In a sea of pessimism, the New England Journal of Medicine explores the lessons of a health care success story: Grand Junction, Colorado — one of the cities that Atul Gawande detailed in his celebrated article in the New Yorker.
4. At the Health Care Blog, Michael Lake explores recent trends in HIT, while providing many helpful links.
5. Webcast 1: On Tuesday, October 5th: Maggie Mahar and others will be participating in a webcast where they will discuss health care reform. Click here for Mahar’s overview on her Health Beat blog, including a link to the freely-accessible live stream.
Reform Rodeo
[Ed. Note: HRW welcomes back Jordan Cohen from his work in Washington at HHS this summer; the place just wasn't the same without him]
Waste: The New York Times provides an overview of a new study detailing health care wastefulness — which the Times reports as being the first study to quantify the problem.
Berwick’s Pilots: Newly appointed Medicare director Donald Berwick is pushing for hundreds of new pilot programs that would seek to innovate the delivery of health care.
Prognostication: The Health Care Blog’s David Kibbe and Brian Klepper look beyond meaningful use and distill five future trends of patient health data and clinical health information technology.
Meaningful Use FAQs: For those with questions on meaningful use, John Halamka has created FAQs.
PPACA and Employees: Researchers at RAND have published a study predicting PPACA’s effect on workers’ health insurance coverage.
Medicaid Outside the Box: Health Affairs’ Michael O’Grady and Jennifer Baxendell Young have published a post that discusses new ideas for Medicaid financing.
RFID Tags for Nurses, then Everybody?
The recent City of Ontario v. Quon decision has had a mixed reception among privacy advocates. Though many are disappointed that employees’ privacy rights have once again been narrowed, some have discerned helpful dicta in the case. However, I worry that, whatever the drift of thought among swing justices, economic imperatives and cultural shifts will mean a lot less privacy in the workplace of the future. Health care in particular offers a few interesting bellwethers.
As an opinion piece by Theresa Brown explains, maintaining proper staffing levels in hospitals is becoming increasingly difficult. Surveillance systems are offering one way to address the problem; work can be performed more intensively and efficiently as it is recorded and studied. But such monitoring has many troubling implications, according to Torin Monahan (in his excellent book, Surveillance in a Time of Insecurity):
The tracking of people [via Radio Frequency Identification Tags] represents a . . . mechanism of surveillance and social control in hospital settings. This includes the tagging of patients and hospital staff. . . . When administrators demand the tagging of nurses themselves, the level of surveillance can become oppressive. . . . [because nurses face] labor intensification, job insecurity, undesired scrutiny, and privacy loss. . . . To date, such efforts at top-down micromanagement of staff by means of RFID have met with resistance. . . . One desired feature for nurses and others is an ‘off’ switch on each RFID badge so that they can take breaks without subjecting themselves to remote tracking. (122)
Like the “nannycam” employed by many a wary parent, the nurse-cam may be seen as a way to protect the vulnerable. It may also increase the accuracy of evidence in malpractice cases. On the other hand, inserting a tireless electronic eye to monitor what is already an extremely stressful job may create many unintended consequences, or deter people from going into nursing altogether. Even advocates of pervasive surveillance recognize these difficulties.
The increasing pressure to monitor what happens inside hospitals reminds me of a recent article by Thomas Goetz in Wired (no link yet) on Google co-founder Sergey Brin’s quest to find a cure for Parkinson’s disease. As Goetz describes it, a new form of “high-speed science” depends on rapid accumulation of as much data as possible:
In Brin’s way of thinking, each of our lives is a potential contribution to scientific insight. We all go about our days, making choices, eating things, taking medications, doing things—generating what is inelegantly called data exhaust. . . . With contemporary computing power, that data can be tracked and analyzed. “Any experience that we have or drug that we may take, all those things are individual pieces of information. Individually, they’re worthless, they’re anecdotal. But taken together they can be very powerful.” In computer science, the process of mining such large data sets for useful associations is known as a market-basket analysis.
Goetz has promoted this as a new way to “do science in the petabyte age.”
The Community Health Data Initiative Launched
[Ed. Note: HRW is pleased to introduce Katherine Matos to the blog. Katherine is a 3rd year student at Seton Hall Law and the principal inventor on a patent application in the field of medical imaging, resulting from her research as a student at Stevens Institute of Technology, from which she graduated with degrees in biomedical engineering and history. She has published work in Health Law Outlook and now serves as an Editor.]
On June 2, Health and Human Services (HHS) Secretary Kathleen Sebelius and Institute of Medicine (IOM) President Harvey Fineberg launched the Community Health Data Initiative (CHDI) at the IOM-sponsored Community Health Data Forum in Washington.[i] The CHDI resulted from a March 11 roundtable between HHS and IOM regarding HHS health data usefulness in developing consumer-based electronic health care applications.[ii] As one of five HHS Flagship initiatives, the CHDI is a public-private effort to “help Americans understand health and health care performance in their communities — and to help spark and facilitate action to improve performance.”
Ultimately, a network of community health data suppliers (beginning with HHS) and data appliers (private innovators) will work together to create applications that:
“(1) raise awareness of community health performance,
(2) increase pressure on decision makers to improve performance, and
(3) help facilitate and inform action to improve performance.”

U.S. Department of Health & Human Services, HHS Open Government Plan, page 60, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.
To begin the process, HHS will launch a new online Health Indicators Warehouse by the end of the year to provide the public with community health data, free of charge or any intellectual property constraint.[iii] “In every science-based endeavor, data are the key to the effective action,” said Dr. Fineberg at the Community Health Data Forum. “We need to make more creative and vigorous use of the data we generate now, and we need to create a demand-and-use cycle that will bring about even better information in the future.”[iv] While the National Center for Health Statistics continues to develop the Health Indicators Warehouse, an interim site with one downloadable data set has been made available on the CDC website.
When completed, hundreds (ultimately, thousands) of measures of health care quality, cost, access and public health will be downloadable in a standardized, structured format. “National, state, regional, and county health performance on indicators such as rates of smoking, obesity, diabetes, access to healthy food, utilization of health care services” will be accessible in a single location.[v] Also, users will be able to sort data according to age, gender, race/ethnicity and income where available.
HHS is committed to personal privacy protection and confidentiality “as a fundamental principle governing the collection and use of data.” In any public data releases, individually identifiable information will be protected. Furthermore, HHS will incorporate new approaches to protect confidentiality while maintaining public access into its data release policies.[vi]
To complete the network, HHS is working with private parties, including technology innovators, researchers, companies, and health advocacy groups to utilize the data and provide feedback. “As a nation, we can and should harness the exploding creativity in our information technology and media sectors to help us get the most public benefit out of our data investments,” stated Secretary Sebelius.[vii]
In preparation for the Community Health Data Forum, developers such as Microsoft, Google, and Ingenix created software platforms for the presentation of health data.[viii] The Forum featured demonstrations of Web tools for citizen access to health performance data, dashboards for civic leaders to ascertain and improve community health, an online game for learning local health status facts, an enhanced internet search engine that integrates hospital performance data with search results, and mobile phone applications.[ix]
Finally, White House Chief Technology Officer Aneesh Chopra announced that the administration would host the 2010 Health 2.0 Developer Challenge with the support of HHS and the CHDI.[x] Health 2.0 will host a series of events including multi-disciplinary “code-a-thons,” culminating in the final Challenge at the Health 2.0 Annual Conference October 6-9, 2010.
References:
U.S. Department of Health & Human Services, HHS Open Government Plan, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.
U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html.
Patient Safety and Quality Improvement: Civil Money Penalty Inflation Adjustment
By: Constantina Koulosousas

The first manned balloon ascent, on October 15, 1783, to a height of 25 meters, made by the Marquis d'Arlandes and Pilatre de Rozier. From "Histoire des Ballons et des Aeronautes Celebres," by Gaston Tissandier, 1887, p. VII.
The Patient Safety and Quality Improvement Rule was amended, effective November 23, 2009, by the Department of Health and Human Services to adjust the maximum civil money penalty amount for violations of the confidentiality provisions. The amount was adjusted for inflation to comply with the Federal Civil Penalties Inflation Adjustment Act of 1990. This amendment was carried out through direct final rule making, as HHS expected no significant adverse comments to the rule.
The Patient Safety and Quality Improvement Act of 2005 created a voluntary program under which health care providers share "patient safety work product" (PSWP), that is, information relating to patient safety events and concerns, with each other and with Patient Safety Organizations (PSOs). The Department of Health and Human Services is required to maintain a listing of all PSOs.
The Act amended Title IX of the Public Health Service Act for the purpose of improving patient safety and quality of care. As with attorney work product, this information is privileged and confidential. While the program may be voluntary, a knowing or reckless violation of the confidentiality requirements of the Act can result in a civil money penalty of up to $10,000 for each violation, as assessed by the Office for Civil Rights.
Inflation had eroded the deterrent effect of civil money penalties, which led Congress to enact the Inflation Adjustment Act. That Act requires federal agencies to issue regulations adjusting for inflation each civil money penalty within their jurisdiction, including those in the Public Health Service Act, at least once every four years. For the Patient Safety Act's penalty the four-year clock runs from July 29, 2005, the date that Act was enacted. The adjustment is computed in three steps.
First, the agency calculates the increase by applying a "cost-of-living adjustment," defined in the Act as the percentage by which the Consumer Price Index for June of the calendar year preceding the adjustment exceeds the Consumer Price Index for June of the calendar year in which the penalty was last set or adjusted pursuant to law.
Second, the resulting increase is rounded according to the size of the penalty, using the table in section 5(a) of the Act. For a $10,000 penalty the increase rounds to $1,000, for an adjusted maximum of $11,000. Third, a first adjustment under the Act is capped at 10 percent of the penalty amount. Since $1,000 is exactly 10 percent of $10,000, the cap does not reduce it, and $11,000 stands as the adjusted maximum.
One great benefit of the Act is to make sure that the penalties assessed for such violations provide adequate deterrence to potential violators. This is done by periodically increasing the violation amount to account for inflation over time. Especially now in the wake of the massive health care reform and improvements in the use of Electronic Health Records, it is important to ensure patients that their personal health information remains confidential and that a breach of this confidentiality requirement will result in steep monetary penalties.
On the other hand, many may argue that the increase is not adequate. Because the Act imposes a 10 percent cap on top of a fixed rounding table, the adjusted amount will not always keep pace with the current economic environment. Further, the amounts are updated only every four years, which leaves a significant gap in time.
Additionally, the slight increase in money penalties assessed will not do much to comfort patients that their health information is protected and confidential. Once the information gets out, there is no amount of money assessed as a violation that can remedy the breach and the damage which may have already been done. Further, to many of the entities involved in such violations, a $10,000 penalty may seem like an insignificant slap on the wrist.
The Act punishes only a "knowing or reckless" violation of the confidentiality provisions, so unintentional breaches will not subject physicians or PSOs to liability. This mental-state requirement is especially important while the technical issues and glitches of a national electronic health record system are still being ironed out.
Conversely, the “knowing or reckless” standard may pose some difficulties enforcing liability under the Act, as it may not always be easy to prove that the confidentiality breach was done with such a state of mind, or even where the disclosure came from.
Breach Notification for Unsecured Protected Health Information
By: Michael R. Spaltro
Gordon Moore, Intel co-founder, famously predicted that the number of transistors on a chip would double about every two years, and performance has tracked that curve. Between 1981 and 1991, "computer processing speed increased tenfold, the instruction execution rate a hundred fold, system memory grew a thousand times, and system storage expanded by a factor of 10,000." That was just the beginning. Intel has kept that pace for nearly 40 years, and has now introduced the world's first 2-billion transistor microprocessor. The development of fundamental computer technology has translated into ubiquitous information technology infrastructure. Deploying information technology within the healthcare industry is significantly complicated by the indispensability of life and health to everything else we do. The privacy of electronic health records ("EHR") that contain protected health information ("PHI"), the HIPAA term for individually identifiable health information held by a covered entity, is one area of particular concern.
Health care providers, health plans, health care clearinghouses, and their business associates across the country currently use EHRs as an efficient way to store patient records locally.[1] EHRs may contain treatment history, social and demographic data, and a multitude of other PHI.[2] If the underlying computer technology continues to grow at the staggering pace predicted by Moore's Law, the function of EHRs will expand to "assume a key role in medical diagnosis and treatment management."[3] Moreover, the Food and Drug Administration, in collaboration with public, academic, and private entities, is expected to use EHRs to link and analyze medical safety data from over 100 million patients by July 2012.[4] The resulting electronic network of interoperable healthcare data is of a scale never before contemplated in the industry. PHI, such as the data held in local provider EHRs, health plan claims databases, and Medicare databases, will be remotely transmitted, stored, accessed, and analyzed.
Transmitting EHRs from an originating entity to the entities and infrastructure involved in research, development, and storage creates new opportunities for internal and external breach. Moreover, as copies of EHRs accumulate in local and remote institutions across the country, the number of places where a breach can occur grows with them. In the event of a breach, an individual may be exposed to a number of dangers. EHRs contain personal information of high value to attackers, such as Social Security numbers or payment information.[5] Furthermore, an otherwise legitimate entity could use health information in a less nefarious way that nonetheless violates individual privacy. How can we legally protect privacy while realizing the benefit of electronic health information technology?
The Health Insurance Portability and Accountability Act ("HIPAA") restricts unauthorized access to protected health information. The HIPAA Security Rule and Privacy Rule require a health plan, health care provider, health care clearinghouse, or business associate to safeguard all PHI, and civil and criminal penalties are enforced against entities that fail to comply. The FDA's qualified contractors[6] will similarly be subject to HIPAA under the Health Information Technology for Economic and Clinical Health ("HITECH") Act by 2017.[7] The entire electronic network of EHRs will therefore be covered by the Privacy Rule and the Security Rule. The Security Rule does not prescribe particular technology; a covered entity may choose any measures that reasonably and appropriately implement the required safeguards, such as firewalls and access controls (for example, passwords), to protect PHI in electronic form. Without those controls, unauthorized parties could easily reach PHI, and PHI could easily flow out to any individual, device, or system that interoperates with EHR databases. The Security Rule thus assures that a covered entity is reasonably protecting an individual's privacy by safeguarding PHI.
Firewalls and other reasonable access controls are not impermeable. Earlier this year, a highly sophisticated attack on Google penetrated the multi-billion dollar corporation and led it to withdraw from mainland China. Merck & Co. and Cardinal Health Inc. were among others infiltrated in the same campaign. The extent of information exposed is still not fully understood. Breaches therefore occur even where reasonable and appropriate safeguards are required and in place. The access controls the Security Rule requires are not sufficient to protect a vast network of interoperable EHRs; encryption of stored data and secure destruction of data that is no longer needed will eventually be required to protect individual privacy.
Pursuant to the privacy provisions of the HITECH Act (Division A, Title XIII, Subtitle D), the Department of Health and Human Services ("HHS") was required to promulgate rules for breach notification for unsecured protected health information (the "Breach Rule"). HHS issued an interim final rule, effective September 23, 2009, requiring covered entities and their business associates to provide notification of breaches of unsecured PHI. Presumably, an individual who is made aware that his personal information was compromised is better equipped to mitigate identity theft or other harms that could arise.
The provisions of Section 13402 of the HITECH Act use the HIPAA definitions of "covered entity" and "protected health information." The Act defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of that information. In other words, if someone gets past a firewall or access control and reaches PHI, the covered entity must notify every individual affected. Importantly, notification is only required for unsecured PHI. If a covered entity encrypts and/or destroys PHI in accordance with the guidance HHS issued, which points to National Institute of Standards and Technology (NIST) publications, then a breach of its firewalls or access controls that reaches only the protected copies need not be reported. Notice is necessary only when "unsecured protected health information that is not secured through the use of technology or methodology specified…" is breached. The rationale is obvious: if PHI is encrypted to the NIST standard, the data is unusable to whoever obtains it, and notification would be superfluous. The safe harbor comes with a condition a practitioner should not overlook: the HHS guidance counts encrypted PHI as secured only if the key that decrypts it was not also exposed, so ciphertext lost together with its key, or a copy decrypted by an authorized user and left in the clear, is still unsecured PHI.
Consequently, a covered entity has two choices: (1) secure all EHRs that contain PHI; or (2) report breaches of PHI. The Breach Rule encourages covered entities to take the former approach. To secure EHRs that contain PHI, an entity must regularly perform two standard procedures. First, the NIST guidance on media sanitization recommends a single overwrite pass for clearing most magnetic media.[8] When a file is deleted, the file system only removes its directory entry; the data blocks remain physically on the drive until something overwrites them, and software and hardware tools for recovering such data are available to the public. "Deleted" PHI could therefore be recovered by an unauthorized party in the event of a breach. NIST recommends that the data be overwritten at least once so that it cannot be recovered. Overwriting takes time proportional to the capacity being sanitized, and on flash-based storage that remaps writes, an overwrite of the logical address is not guaranteed to reach the physical cells, so overwriting alone should not be assumed to sanitize such media.
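The deletion-versus-overwrite point above, as an added example that is not part of the original post and is not NIST's code: a toy block device in Go, with a hypothetical directory table standing in for a real file system's allocation structures. The constructed record is carved back out of the raw media after an ordinary delete, and is gone after one overwrite pass of the range it occupied.

```go
package main

import (
	"bytes"
	"fmt"
)

// Disk is a hypothetical toy block device: a flat byte slice plus a
// directory mapping a file name to the byte range it occupies. It stands
// in for a real file system's allocation table.
type Disk struct {
	media []byte
	dir   map[string][2]int // name -> [start, end)
	next  int
}

func NewDisk(size int) *Disk {
	return &Disk{media: make([]byte, size), dir: map[string][2]int{}}
}

// Write stores a record on the media and adds a directory entry for it.
func (d *Disk) Write(name string, data []byte) error {
	if d.next+len(data) > len(d.media) {
		return fmt.Errorf("disk full")
	}
	copy(d.media[d.next:], data)
	d.dir[name] = [2]int{d.next, d.next + len(data)}
	d.next += len(data)
	return nil
}

// Delete mimics an ordinary file deletion: only the directory entry goes
// away; the bytes stay on the media until something overwrites them.
func (d *Disk) Delete(name string) {
	delete(d.dir, name)
}

// Clear performs a single overwrite pass (the "clear" operation for
// magnetic media in NIST SP 800-88) over the range the record occupied,
// then drops the entry. On flash media with wear levelling this logical
// overwrite is not guaranteed to reach the physical cells.
func (d *Disk) Clear(name string) {
	if r, ok := d.dir[name]; ok {
		for i := r[0]; i < r[1]; i++ {
			d.media[i] = 0
		}
		delete(d.dir, name)
	}
}

// Carve does what a recovery tool does: it ignores the directory and scans
// the raw media for a known marker, returning the line that follows it.
func (d *Disk) Carve(marker []byte) (string, bool) {
	i := bytes.Index(d.media, marker)
	if i < 0 {
		return "", false
	}
	end := bytes.IndexByte(d.media[i:], '\n')
	if end < 0 {
		end = len(d.media) - i
	}
	return string(d.media[i : i+end]), true
}

// Demo writes a constructed PHI record twice: once plain-deleted, once
// overwritten. It returns what carving recovers in each case.
func Demo() (recoveredAfterDelete string, foundAfterDelete, foundAfterClear bool) {
	rec := []byte("PHI:MRN=000123;NAME=Jane Doe;DX=F20.0\n") // constructed sample
	marker := []byte("PHI:MRN=000123")

	d := NewDisk(4096)
	_ = d.Write("visit-1.txt", rec)
	d.Delete("visit-1.txt")
	recoveredAfterDelete, foundAfterDelete = d.Carve(marker)

	d2 := NewDisk(4096)
	_ = d2.Write("visit-1.txt", rec)
	d2.Clear("visit-1.txt")
	_, foundAfterClear = d2.Carve(marker)
	return
}

func main() {
	rec, del, clr := Demo()
	fmt.Printf("after delete: recoverable=%v (%q)\nafter one-pass overwrite: recoverable=%v\n", del, rec, clr)
}
```

The overwrite works here because the range it targets is exactly the range the record occupied; on a real file system that means sanitizing the blocks a file used (or the whole medium at disposal), not merely unlinking the file.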
Second, and perhaps less straightforward, NIST describes data encryption using one of the following four methods: full disk encryption; volume encryption; virtual disk encryption; or file/folder encryption.[9] The capital expenditure necessary to install and maintain encryption software and hardware throughout a covered entity is immense. Furthermore, encrypting millions of EHRs will tax processors and networks, and will additionally hamper interoperability. Encrypted data cannot be searched or processed until an authorized end-user decrypts it before each use. Transferring encrypted data across an electronic network, like the one the FDA contemplates, would be additionally problematic unless every system were equipped to recognize and decrypt the data, which in turn means distributing and managing keys across all of them. Thus, under any of the four methods above, the net result is a loss of productivity and interoperability. Moreover, encrypted data may not mean secure data. The end-user authorized to access encrypted data will decrypt it in the course of a working day, and while the system is running the key is available to whatever runs with that user's privileges. So-called encrypted PHI is therefore exposed to the same daily risks as unsecured PHI. Consequently, data encryption may not even provide the security and privacy that the Breach Rule contemplates.
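To make the safe-harbor condition concrete (ciphertext counts as secured only if the key did not leak with it, and a decrypted working copy never does), here is an added example in Go; it is not part of the original post and not HHS or NIST code, and the file names, the `Device` model and the sample record are constructed for illustration. It encrypts a record with AES-256-GCM and then asks, for three versions of a lost device, whether notification would be owed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyFile is a hypothetical name for a key stored beside the data; a key
// co-located with the ciphertext is the failure case.
const keyFile = "phi.key"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM and a fresh random nonce.
// Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong key or tampered bytes fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Device models what walks out the door in a lost laptop or a compromised
// server: a set of files by name (constructed for this example).
type Device map[string][]byte

// RequiresNotification applies the rule of thumb from the HHS guidance:
// the exposed PHI counts as secured only if every copy is ciphertext and
// the key that decrypts it did not go with it. A plaintext working copy,
// or a key stored beside the data, makes the PHI "unsecured".
func RequiresNotification(dev Device, phiMarker []byte) bool {
	key, keyPresent := dev[keyFile]
	for name, data := range dev {
		if name == keyFile {
			continue
		}
		if bytes.Contains(data, phiMarker) {
			return true // plaintext PHI on the device
		}
		if keyPresent {
			if pt, err := Open(key, data); err == nil && bytes.Contains(pt, phiMarker) {
				return true // ciphertext, but the key travelled with it
			}
		}
	}
	return false
}

// Scenarios builds three constructed devices and reports which would
// trigger breach notification.
func Scenarios() (cipherOnly, cipherPlusKey, workingCopy bool, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return
	}
	rec := []byte("MRN=000123;NAME=Jane Doe;DX=F20.0") // constructed sample record
	sealed, err := Seal(key, rec)
	if err != nil {
		return
	}
	marker := []byte("MRN=000123")
	cipherOnly = RequiresNotification(Device{"records.enc": sealed}, marker)
	cipherPlusKey = RequiresNotification(Device{"records.enc": sealed, keyFile: key}, marker)
	workingCopy = RequiresNotification(Device{"records.enc": sealed, "export.csv": rec}, marker)
	return
}

func main() {
	a, b, c, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext only: %v; ciphertext+key: %v; decrypted working copy: %v\n", a, b, c)
}
```

Only the first device escapes notification. The third device is the situation the paragraph above describes: the data was "encrypted", but the authorized user's decrypted export is what actually left the building.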
While some covered entities are voluntarily choosing to encrypt and secure PHI, the impracticality and cost of data encryption are prohibitive for many. Covered entities were allowed 180 days to become compliant with the Breach Rule. That period has expired, and most covered entities have not opted to encrypt PHI. Instead, they have put reasonable systems in place to detect breaches, as the Breach Rule requires, and the Rule requires notification without unreasonable delay once a covered entity learns of a breach. A majority of states already had breach notification laws in place, so many covered entities already had systems to detect and report breaches.
Reporting breaches under the Breach Rule still requires some capital expenditure. A breach affecting 500 or more individuals must be reported to the Secretary without unreasonable delay and, where more than 500 residents of a state are affected, to prominent media outlets in that state; smaller breaches are logged and reported to the Secretary annually. Such notification could drive away business and invite legal action. Of greater concern, a major breach and broadcast resulting in legal action may dissuade industry players from adopting EHR systems that could potentially reduce medical error and healthcare costs.[10] However, the burden of encrypting PHI is overwhelming, and perhaps ultimately ineffective. Consequently, the Breach Rule has done little to foster the actual security of PHI. In practice, covered entities merely provide notification of breach, and it is unclear how this benefits a patient whose privacy has been breached. Deploying new EHR technology throughout the healthcare industry presents a risk to individual privacy that is not adequately addressed by the Breach Rule and HIPAA.
Privacy concerns should grow in proportion to the volume of online EHRs. Pursuant to the FDAAA, 100 million EHRs will be linked within the FDA's seminal network by July 2012. The sensitive and valuable nature of large EHR databases will likely attract the attention of unauthorized parties around the world, and therefore warrants a heightened level of security. Within two years, encryption technology may prove to be significantly smarter, cheaper, and more efficient, and the concerns that keep covered entities from adopting data encryption may lift. Absolute data security is not attainable under any standard, but operating systems that encrypt storage transparently would remove most of the friction described above; they would not, however, protect data that an authorized, logged-in user has already decrypted. Rules and regulations should proportionately reflect advances in computer technology and the quantity of EHRs over the next two years. To protect public privacy and trust in our healthcare system, all PHI should eventually be encrypted by covered entities and their business associates.
[1] Hoffman and Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech 103.
[2] Id. at
[3] Id. at
[4] Food and Drug Administration Amendments Act of 2007 (FDAAA), 21 U.S.C. 355(k)(3).
[5] See Hoffman, supra note 1, at 113.
[6] 21 U.S.C. 355(k)(3). A qualified contractor is similar to a business associate: the FDA contracts with entities that are deemed "qualified" within the meaning of the Act.
[7] See HITECH, Pub. L. No. 111-5, Sections 13401 and 13404.
[8] NIST Special Publication 800-88, Guidelines for Media Sanitization, available at http://csrc.nist.gov.
[9] NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, available at http://csrc.nist.gov.
[10] See Hoffman, supra note 1, at 104.
Reform Rodeo
1. Duff Wilson of the New York Times discusses the lack of transparency with respect to industry’s payments to doctors.
2. John Halamka gives a nice overview of the various PPACA initiatives–including pilot programs–that involve HIT.
3. A group of lawyers discuss the impact that the recent Supreme Court decision in Citizens United could have on health care.
4. Matthew Holt at The Health Care Blog describes a new poll conducted about PHRs, and some of the results are surprising.
5. Health Affairs has a nice summary of a round table discussion on reforming CMS in the era of Don Berwick.
6. Jason Shafrin of the Health Care Economist gives an overview of a new paper by Basu and Philipson that questions some of the common assumptions of the economics of comparative effectiveness research.
Reform Rodeo: Latest News & Interviews; CER; the Constitution; HIT; Robotic Surgery
1. News: Kaiser Health News keeps you up to date by rounding up various stories on the Dems’ latest down-to-the-wire push on health reform. Their coverage of Representative Dennis Kucinich’s (and other reluctant Dems’) endorsement of the bill is here.
2. Betting on Health Care: The New York Times asks health wonks for opinions on the chances of passing health reform. Respondents include Robert Reich, former secretary of labor; Gail Wilensky, Project HOPE; Paul Starr, professor of public policy; James C. Capretta, Ethics and Public Policy Center; Karen Davenport, Center for American Progress; and Jacob S. Hacker, political science professor.
3. Evidence-based Medicine: A group at the New England Journal of Medicine proposes 5 steps to advance one of the most promising–yet often ignored–means of reforming our health care system: comparative effectiveness research.
4. Deem and Pass: Jonathan Adler at the Volokh Conspiracy discusses the constitutionality of the “deem and pass.” Regardless of its constitutionality, Ezra Klein exposes some factual inaccuracies in recent reporting on the tactic.
5. The Blues: The Pittsburgh Post-Gazette alerts us to a lawsuit by Highmark Inc. against the Pennsylvania Department of Insurance, which claims that the Department exceeded its authority when challenging Highmark’s proposed merger with Independence Blue Cross.
6. Meaningful Use Partial Credit: John Halamka at Life As A Healthcare CIO discusses the aggressive thresholds for meaningful use that have been set in the most recent rules, and what the HIT Policy Committee is doing to assuage those concerns.
7. Wild Card: A new TED talk about the current state of robotic surgery. An article covering the topic can be found here.
Reform Rodeo! The Summit, Speed Dating, and More.
1. Summit!: Fretting about how to get your dose of tomorrow’s “summit”? Don’t worry, CSPAN has got you covered for the Health Care Summit that is kicking off at 10am.
2. Managed Care Meltdown?: Joe Paduda at Managed Care Matters points out that the Anthem rate increases show that private insurers have been unable to control costs. What Paduda's piece is missing is advice to private health insurers on how to manage costs without another "managed care backlash" like the one we had in the 1990s.
3. The Cost Conundrum’s Conundrum, or Just a Canard?: Maggie Mahar has a beef with the New York Times’ channeling of Dr. Bach’s New England Journal of Medicine article, where Dr. Bach criticized the Dartmouth Atlas researchers’ methodology by claiming that they failed to risk adjust. Dr. Atul Gawande also believes the criticism is misplaced.
4. Health Care and Reconciliation are BFFs: NPR reports on a somewhat cozy relationship between reconciliation and previous health care initiatives.
5. What do speed dating and OB/GYN docs have in common? Kevin MD discusses how hospitals are utilizing speed dating techniques to match obstetricians with potential patients.
6. HIT, Yeah You Know Me: Dr. John Halamka with a slew of handouts from the HIT Policy Committee's recent meeting, as well as notes from a recent meeting of the HIT Standards Committee.
Google Buzz & Your Digital Health Doppelganger
A couple meeting their doppelgangers: "How They Met Themselves", a painting by Dante Gabriel Rossetti, courtesy of The Athenaeum.
At this point, it is fair to say that everyone has either heard or read about how Google's latest foray into social networking, Google Buzz, has gotten off to a bumpy start due to privacy concerns. We can only speculate as to why Google failed to appreciate Buzz's underwhelming privacy protections. Maybe Google was aware of the privacy issues but felt that they were outweighed by the "turn key" social network that would automatically be created by leveraging the user's own Gmail contact list. Alternatively, Google may simply not have appreciated the privacy issues. Whether Buzz's threats to privacy justified the immense firestorm that has occurred is beside the point. Regardless of whether the privacy concerns are justified, as consumers use social networking tools to a greater degree, they are becoming more aware of the potential privacy problems, and more vocal when they disapprove.
One of the more troubling aspects of Google Buzz was that it automatically created a network of users in your Buzz social network based on the addresses you emailed most in Gmail. Buzz would then automatically start following those contacts. The issue was compounded by the fact that Google made the list of people you were following on Buzz public by default. This automatic follow-and-tell-the-world approach that piggybacked off of Gmail users’ contact list has since been tweaked. Currently, a user joining Buzz is offered suggestions of who to follow, and those whom they choose to follow are not broadcast for the world to see.
A hypothetical within the health care setting may serve to illustrate why this approach was problematic, and will also illustrate why social networking may have profound implications for our “digital health doppelganger.” Under the initial iteration of Buzz, physicians using Buzz who were following the Buzz feeds of their patients would, simply by using the service, make the names of who they were following public to all their other followers. In other words, a patient could see the names of all the individuals that their physician was following, including any who happen to be patients. This situation could be disastrous both personally and economically if the individual was being treated by a physician specializing in schizophrenia or HIV/AIDS–diseases that have, for whatever reason, become highly stigmatized and prone to various discriminatory responses. It is therefore clear that myriad privacy and confidentiality issues arise, including questions of whether such information would be considered protected health information under HIPAA. That the disclosure of fiduciary relationships is troublesome is nothing unique to health care: in the legal profession, the mere existence of an attorney-client relationship can be considered privileged information.
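The hypothetical above, as an added model in Go that is not part of the original post and makes no claim about how Buzz was actually implemented; the mail counts, addresses and the `Policy` type are constructed for the example. It seeds a follow list from message counts, as the launch version of Buzz did from Gmail contacts, and checks what another patient can learn under the launch defaults versus opt-in following with a private list.

```go
package main

import (
	"fmt"
	"sort"
)

// Visibility of a user's "following" list.
type Visibility int

const (
	Public  Visibility = iota // how Buzz shipped
	Private                   // the later fix
)

// Policy holds the two design choices at issue: whether the follow list is
// seeded automatically from mail metadata, and who may see it.
type Policy struct {
	AutoFollow bool
	ListVis    Visibility
}

// Mail is a constructed record of message counts: sender -> recipient -> count.
type Mail map[string]map[string]int

// Following computes whom user follows. With AutoFollow the top-n
// correspondents are followed without consent; otherwise only the
// explicitly chosen names are.
func Following(user string, m Mail, explicit []string, p Policy, n int) []string {
	if !p.AutoFollow {
		out := append([]string(nil), explicit...)
		sort.Strings(out)
		return out
	}
	type pair struct {
		who   string
		count int
	}
	var ranked []pair
	for who, c := range m[user] {
		ranked = append(ranked, pair{who, c})
	}
	sort.Slice(ranked, func(i, j int) bool {
		if ranked[i].count != ranked[j].count {
			return ranked[i].count > ranked[j].count
		}
		return ranked[i].who < ranked[j].who
	})
	var out []string
	for i := 0; i < len(ranked) && i < n; i++ {
		out = append(out, ranked[i].who)
	}
	return out
}

// VisibleTo returns what viewer can see of owner's follow list under p.
func VisibleTo(viewer, owner string, list []string, p Policy) []string {
	if viewer == owner || p.ListVis == Public {
		return list
	}
	return nil
}

// Leak runs the post's hypothetical: does patient A, looking at the
// physician's profile, learn that patient B also sees this physician?
func Leak(p Policy) bool {
	const dr, a, b = "dr@clinic.example", "patient.a@example.org", "patient.b@example.org"
	mail := Mail{dr: {a: 12, b: 9, "lab@clinic.example": 30}} // constructed counts
	list := Following(dr, mail, nil, p, 3)
	for _, s := range VisibleTo(a, dr, list, p) {
		if s == b {
			return true
		}
	}
	return false
}

func main() {
	launch := Policy{AutoFollow: true, ListVis: Public}
	fixed := Policy{AutoFollow: false, ListVis: Private}
	fmt.Printf("launch defaults leak: %v; opt-in and private: %v\n", Leak(launch), Leak(fixed))
}
```

The two defaults compound each other: auto-follow turns private communication metadata into a social graph, and the public list publishes it. Making the list private removes the disclosure, and requiring explicit opt-in removes the relationship the user never chose to declare.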
But back to Health IT, where our digital health doppelganger is progressing through its adolescence in a landscape of social networks, electronic health records, and a highly fragmented health care delivery system. A number of general areas of concern arise, including:
1) the online storage of our personal sensitive health information (e.g. in EHR and PHR databases, and Law Enforcement and “Fusion Centers”).
2) current modes of interfacing with our online health data (e.g. access via home computer, mobile phone, kiosks).
3) future modes of interfacing with our online health data (e.g. increasing mobile use, RFID, Smartcards, video playback of encounters).
4) how others will access and use our online health data (e.g. a primary care physician accessing our PHR, site-wide access by Accountable Care Organizations, targeted advertising in PHRs based on the content found within the PHR service or services it can connect to).
5) how we will interact with the health data of others (e.g. PatientsLikeMe.com, increasing meta-analysis of health data available through future nationwide interoperable EHR systems).
6) how our increasingly digitized health care persona will exist alongside our professional and social personas.
Google and Microsoft offer immensely useful services, which concomitantly force us to analyze these issues more deeply, particularly the last one, which both feeds back into, and is affected by, each of the others. More than any other company, Google has sought to integrate its products to make communication and organization as seamless as possible. For example, the to-do list in Google Tasks is, not surprisingly, symbiotic with Google Calendar, while the latter service interfaces with Gmail by scanning the content of a user's email for the telltale signs of future events and offering to add a calendar entry. For those of you not using Google, the right portion of the picture below illustrates how Google recognizes the contents of the email message and asks the Gmail user if she wants to add the event to her Google Calendar.

An Example of Google's Integration of Services. Notice how Gmail has scanned the content of the message, and on the right, asked the user if they would like to import it into Google Calendar. Photo From Google Operating System Blog
The simple example above makes it easy to imagine similar features being offered in PHRs like Google Health and Microsoft HealthVault–PHRs that are provided by entities that either offer social networking tools alongside their PHRs, or who plan to somehow utilize outside data that is available through other means. As consumers, we must determine how precocious we want our online health persona to be. It must be noted that there is nothing intrinsically wrong with this integration, and such integration certainly offers many benefits to providing better information to patients and physicians.
However, both Google and Microsoft are unique in that they are introducing personal health records to users who have already ceded to them an extraordinary amount of highly personal information. This raises interesting questions that will test our willingness to integrate our social network with our health identity. For example, how should Google Wave, Google's new hybrid email/chat service, be interfaced with Google Health? Furthermore, what status will a physician-patient conversation thread on Google Wave or Google Buzz be given? Is it more like a health record or a phone conversation? Would it be acceptable for Google Health to utilize health-related information that it recognizes within your Gmail messages? Even though Google has refrained from displaying targeted ads within Google Health, would the reverse be acceptable, whereby Gmail advertisements are determined based on Google Health data? Would it be inappropriate for Google Health to use information about your newly diagnosed diseases to connect you to health-related social networks such as PatientsLikeMe?
Users are likely to forget about Google Buzz’s initial oversights, especially in the short-attention span sphere that is the Internet. This is okay, so long as changes are made to appropriately address such glaring issues. We must, however, ensure that we tackle the much more difficult question of what limits to place on the subtle, yet no less powerful, forces that are altering the breadth of our increasingly digitized and integrated online persona. For many of us, the personality of our digital health doppelganger is taking shape on our screens and our smartphones. Are we going to like what we see? And perhaps more importantly, will others?
Reform Rodeo
1. Principle or Posturing (or both)? –Kaiser Health News discusses the sudden plea from certain Senators for a reintroduction of the public plan into the Senate’s bill.
2. Starting From Scratch? — The Hill highlights polling indicating that many Americans favor scrapping the health bill and starting over, an option that President Obama has repeatedly ruled out.
2a. Presidential Preemption? — Interestingly, the New York Times details the possibility of Obama posting his own health reform bill on the Internet ahead of the much-hyped health care summit. Could Obama use his “new” bill as evidence of a “fresh start” to appease Republicans?
3. Back to Basics — Maggie Mahar details the longstanding debate about whether health insurance actually saves lives.
4. Scoop on Standards — Dr. John Halamka, a physician who serves as CIO of Beth Israel Deaconess Medical Center and chairs the Healthcare Information Technology Standards Panel (HITSP), an ANSI-administered body, shares his thoughts on the vocabulary standards that will come to be the Esperanto of HIT.
5. HIT Funding — On February 12th, the first $1 billion of federal funding for HIT promised under the HITECH Act was made available, with $10.6 million going to Massachusetts for the creation of a health information exchange.
6. Health Reform “Casualty”: The New York Times reported that former Congressman-turned head of PhRMA Billy Tauzin is resigning. Betting on the passage of health reform, Tauzin offered billions in concessions to the White House in exchange for, among other things, favorable patent exclusivity periods for pricey biologics.
7. Health 2.0 — The Health Care Blog reports on the purchase of online pain management company ReliefInSite.com by PatientsLikeMe.com, the popular patient web site which claims to be the "leading online community for patients with life-changing diseases." Don't be too surprised to see further growth of similar "Health 2.0" websites that seek to take advantage of the increasing digitization of health care delivery and research.
8. The Science Behind Reform — Stephen Novella at Science-Based Medicine revisits the question of the effectiveness of colonoscopies.
Things You Wanted to Know About the New HIT Standards But Were Too Afraid to Ask
In a previous post I discussed the interim final rule (IFR) that was recently promulgated by the Office of the National Coordinator for Health Information Technology (ONC). The previous post discussed two of the four categories of standards in the IFR. This post will look at the final two categories. In order to appreciate the purpose of the final two standards, it is worth recapitulating the basic framework upon which the IFR is based.
The ONC’s framework for the standards is to first start with the meaningful use objectives. From the broad objectives of meaningful use, the ONC establishes certification criteria for these objectives. Based on the certification criteria, the ONC has adopted standards that would allow for an objective determination of whether the criteria have been met.
An example will help: One of the meaningful use objectives is “the capability to exchange key clinical information among providers of care and patient authorized entities electronically.” To achieve this objective, “Certified EHRs” will have to meet the following criteria: “[The EHR system must] electronically receive a patient summary record, from other providers and organizations including, at a minimum, diagnostic test results, problem list, medication list, immunizations, and procedures and upon receipt of a patient summary record formatted in an alternative standard specified in Table 2A row 1, displaying it in human readable format.”
In order to guide EHR vendors (and purchasers) in fulfilling the above criteria–and likewise the larger meaningful use objective–the ONC has adopted a number of standards that EHRs must utilize in order to be certified. These standards fall into 4 general categories.
- Vocabulary Standards — The standardized nomenclatures and code sets used to describe clinical problems and procedures, medications and allergies.
- Content Exchange Standards – The standards used to share clinical information such as clinical summaries, prescriptions, and structured electronic documents.
- Transport Standards — The standards used to establish a common, predictable, secure communication protocol between systems.
- Privacy and Security Standards — Standards relating to authentication, access control, and transmission security, which relate to and span across all of the other types of standards.
My previous post provided a general overview of the first two standards, the first of which specifies the language of “EHR speak,” while the second specifies standards giving that EHR vocabulary a predictable organization so as to ensure that different EHR systems can interpret the data.
In the previous post I used the analogy of the Bluebook style of citation to explain the content exchange standard and vocabulary standard. As you can see, the following two citations share the same basic organization (e.g. case name in italics, followed by the reporter volume number, name of the reporter, starting page of case, etc).
Wilson v. Mar. Overseas Corp., 150 F.3d 1 (1st Cir. 1998)
Orange County Agric. Soc’y, Inc. v. Comm’r, 893 F.2d 529 (2d Cir. 1990).
The content exchange standard is analogous to the order of the different elements of the citation. Regardless of the case, all Bluebook citations to federal court of appeals cases have this same basic organization. The part that changes is the vocabulary. As you can see in the cases above, two different reporters (publishers) have been used: F.3d and F.2d. There are still only limited options for the vocabulary of court reporters. Likewise, even though the organization of a patient’s record will remain constant, it will obviously consist of different terms depending on, among other things, the patient’s diagnosis and test results. The possible terms within the chart are determined by the vocabulary standards.
Essentially, the signifier and syntax standards are meant to save us from constructing a costly high-tech Tower of Babel. A sign (word, letter, number, symbol) displayed in a particular way must have an agreed-upon and discernible meaning.
With these two standards in mind, a brief overview of the latter two standards is possible.
Transport Standards
Though the data is sitting on server A in a structured format–governed by the content exchange and vocabulary standards discussed above–there is more that needs to occur for the data to be useful. For example, Computer A must “know” how to send a request for that data in a way that Computer B can understand. Likewise, Computer B must “know” how to respond to Computer A’s request, i.e., how to structure the response it will give to Computer A. This is where the third category of “transport standards” becomes important.
Luckily for us, one of the transport standards (SOAP) adopted by the ONC is the same standard used by LexisNexis. This allows us to continue our analogy.
When I log onto LexisNexis, I have the opportunity to enter a citation. The citation must be entered in the same basic order that the Bluebook citation provides. Therefore, utilizing the first case cited above, I would type in:
150 F.3d 1
The name of the parties in the case is not necessary since only one case occurs at a given page (page 1) of a reporter’s (F.3d) volume (150). If I submit that citation and Lexis recognizes it, Lexis will then display the case. The beautiful thing about Lexis (and Westlaw) is that the case data, like the citations, has a specified organization–analogous to the organization specified by content exchange standards. One discrete element common to all Lexis cases is a field listing the parties’ counsel. Let’s say that I am an iPhone application developer and I want to create a simple application that would allow a user with a Lexis account to type in a citation like the one above, and in response the program would output the opposing counsel field (as opposed to the whole case). My application would need to know how to trigger Lexis’s server to go and find that information in the database. Likewise, the Lexis database must know how to package and send that data back to the client application. Thus, the fact that Lexis organizes data like citations and counsel into organized fields with specific vocabulary is not sufficient. Rather, there must be a standard governing the requests of specific information, as well as how that information should be formatted and transmitted. This is the role of the “transport standards.”
The ONC adopted two alternative standards–the SOAP standard and the REST standard–to govern requests and responses between client and server computers. As stated above, the SOAP standard is used by Lexis (and other Internet sites) to allow other applications and services to be able to interact with it. That Lexis uses the same standard as that adopted in the HIT interim final rule helps to illustrate the broad nature of transport standards. Unlike the content exchange and vocabulary standards that are unique to the practice of health care, the transport standards ensure that services wishing to interact with a server have an agreed upon framework by which to accomplish the interaction. As becomes obvious from this discussion, ensuring the proper implementation of the transport standards is critical to meeting the meaningful use objective described earlier that dealt with exchanging clinical information among providers. Additionally, having a specified standard for requesting and receiving the data is crucial for personal health record (PHR) services that seek to interface with the databases of health care providers in order to retrieve and display certain information to the consumer of the PHR.
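The request/response exchange described above, carried out over the REST style of transport the ONC adopted, as an added example written for this post (it is not ONC or LexisNexis code): the server holds a constructed patient summary record, the client asks for it by patient id and hands back only the medication list, the way the iPhone app in the Lexis analogy returns only the counsel field. The URL path, JSON field names, patient id and record contents are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// PatientSummary stands in for the IFR's patient summary record; the JSON field names are assumptions.
type PatientSummary struct {
	PatientID      string   `json:"patient_id"`
	ProblemList    []string `json:"problem_list"`
	MedicationList []string `json:"medication_list"`
}
var records = map[string]PatientSummary{ // constructed sample data on the provider's server ("Computer B")
	"pt-0001": {"pt-0001", []string{"hypertension"}, []string{"lisinopril 10 mg daily"}},
}
// SummaryHandler is the server side: GET /patients/{id}/summary returns the record as JSON, else 404.
func SummaryHandler(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/patients/"), "/summary")
	rec, ok := records[id]
	if r.Method != http.MethodGet || !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(rec)
}

// FetchMedicationList is the client ("Computer A"): it asks for the whole summary but returns only the medication list.
func FetchMedicationList(baseURL, patientID string) ([]string, error) {
	resp, err := http.Get(baseURL + "/patients/" + patientID + "/summary")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // an error status is reported, never parsed as data
		return nil, fmt.Errorf("server replied %s", resp.Status)
	}
	var rec PatientSummary
	if err := json.NewDecoder(resp.Body).Decode(&rec); err != nil {
		return nil, err
	}
	return rec.MedicationList, nil
}
func main() { // in-process server, so the exchange runs offline
	srv := httptest.NewServer(http.HandlerFunc(SummaryHandler))
	fmt.Println(FetchMedicationList(srv.URL, "pt-0001"))
}
```

The two sides only interoperate because both agree on the request shape (method and path) and the response shape (status code and JSON body); that agreement is what a transport standard pins down.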
Privacy and Security Standards
The fourth group of standards deals with privacy and security, and for the most part, this part of the IFR is straightforward. The reason for the straightforwardness is that the ONC has decided to model its privacy and security criteria on HIPAA’s Privacy and Security Rules. Therefore, there are no real surprises. With that said, the HITECH Act does direct the various HIT committees as well as the ONC to look at capabilities beyond those specified in the HIPAA Security Rule. Thus, even though the IFR does not change the privacy and security landscape in any major way, there is no promise that things won’t change in the future.
Specifically, the ONC has adopted standards for certain aspects of HIPAA but not others. For example, standards have been adopted for the encryption of data, but not for “access control” measures that are used to prevent unauthorized access at computer terminals connected to EHR systems. The ONC’s rationale is that the methods of regulating access are evolving at a rapid pace, whereas there are industry best practices available for encrypting information. As a result, the ONC requires all certified EHR systems to be capable of encrypting their data. This is somewhat remarkable given that HIPAA and HITECH do not require all entities to use encryption. The ONC believes that this capability will spur the use of encryption by making it available to all consumers of certified EHR systems. Furthermore, the implementation of encryption by HIPAA covered entities is important because it acts as a safe harbor, relieving them of the responsibility of having to report a data breach.
As Table 2B shows, the ONC distinguishes between the general encryption of stored data on the one hand and the encryption of transmitted data on the other hand.
The ONC has stated numerous times that the IFR in no way changes the responsibilities of covered entities or business associates under HIPAA (and HITECH). Rather, it solely concerns the capabilities of certified EHR systems.
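What the “capable of encrypting stored data” requirement looks like in practice, as an added example written for this post (not ONC code and not any certified EHR’s implementation): a record is sealed with AES-256-GCM, an authenticated mode, so a stolen copy is unreadable without the key and any tampering is detected on read. The record contents, patient id and key are constructed, and binding the patient identifier as associated data is my design choice, not something the IFR specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
func newGCM(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts a record for storage. The patient id is bound as associated
// data: it stays readable for indexing, but a ciphertext cannot be re-filed under another chart.
func SealRecord(key []byte, patientID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // stored in front of the ciphertext; unique, not secret
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(patientID)), nil
}

// OpenRecord reverses SealRecord; any change to ciphertext, tag or patient id fails authentication.
func OpenRecord(key []byte, patientID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed record too short (%d bytes)", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(patientID))
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // a real EHR keeps the key in a key store, not beside the data
	sealed, _ := SealRecord(key, "pt-0001", []byte(`{"medication_list":["lisinopril"]}`)) // constructed
	_, err := OpenRecord(key, "pt-0002", sealed) // re-filed under the wrong chart
	fmt.Println(err != nil)                      // true: authentication fails
}
```

Encryption of data in transit is the separate row in the ONC’s table and is normally provided by the transport layer (TLS on the connection), not by sealing each record this way.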
Posts from Health Reform Watch have been cited by media sources throughout the country, including The New York Times, Washington Post, L.A. Times, Kaiser Health News, The Health Care Blog, NPR's Planet Money Blog, Duke Univ. Med. Center News, American Health Line Alerts, BusinessWeek.com, Concurring Opinions, Balkinization, The New England Journal of Medicine, Harvard's Nieman Foundation for Journalism, Las Vegas Sun, Maggie Mahar, Ezra Klein, Tom Geoghegan, and the official homepage of the Office of the Democratic Majority Leader of the House of Representatives, Steny Hoyer.
